On Sat, Sep 20, 2014, at 10:09 AM, Gerhard Wiesinger wrote:

> Interesting. How long is your knocking sequence? 8 should be enough. Of
> course someone with network access can sniff (ISPs, etc.). Nevertheless
> it should be very unlikely.

To date, it's been a 5 # sequence. Increasing that # has the obvious advantage. Downside, more ports are opened to listen; not that that matters too much. Here, pattern size & complexity is beneficial.

I've considered simply opening a range of, e.g., 1000, high-numbered ports for knockd to listen at, but only *react* to a certain pattern within that range. Advantage, much harder for nmap scans to determine the knock port pattern. Possible disadvantage -- maybe a performance hit, and an increase in attempts against the full range of open ports. Just not convinced either way, yet.

I believe there are port-based knock solutions that support encryption -- 'cryptoknock' was one, but seems to be unmaintained. I haven't looked much further yet.

> fwknop/SPA is also a nice approach but there are also user land library
> dependencies and possible security leaks
> (http://www.cipherdyne.org/blog/2012/09/single-packet-authorization-the-fwknop-approach.html).
>
> Of course iptables might also have a security leak. But as far as I know
> there never was any in the past.
>
> libpcap might also have security leaks, I think there were some in the past.

The this-vs-that approach discussion is certainly ongoing. Stateful port-listening knocks have some advantages, but not clear to me how state-keeping scales with # of clients/users. At some point, the performance hit of managing state outweighs that of the libpcap per-packet header analysis. So far, I have not found a good, published quantitative comparison.

> OpenVPN has also a nice feature with static key authentication. All
> other non matching packets are ignored.

Sure. It's a bit heavy for single service access, but is an alternative. For me, SW 'integration' has obvious advantages. OTOH, if I end up with a libpcap-based, external-to-SW accounting solution, that may decide the knock solution for me. Still have to figure out the effects of packet marking-&-matching for QoS on all of this ^^.
Certainly, the cleanest/simplest approach so far seems to be your SW module. Thanks.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
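The message above raises two design questions for a stateful knock listener: how the "listen on a wide range of ports but only react to one pattern" idea behaves against a sequential scan, and how per-source state is kept from growing with the number of clients. The following is an added illustration written for this page, not code from the thread, from Shorewall or from knockd. Every value in it is constructed: the five-port sequence, the 7000-7999 listening range, the 10-second window, the state bound and the sample traffic. It tracks each source's progress through the sequence, expires slow attempts, resets on any out-of-order port in the range (so a port sweep never accumulates progress), evicts the least recently active source when the state table is full, and also computes the number of ordered sequences a blind guesser would face for a given range and sequence length.

```python
from collections import OrderedDict

# Constructed example values (not from the thread or any knockd config):
# five knocks chosen from a 1000-port range that is listened on as a whole.
KNOCK_SEQUENCE = (7321, 7105, 7988, 7042, 7663)
LISTEN_RANGE = range(7000, 8000)
WINDOW_SECONDS = 10.0       # the whole sequence must finish within this window
MAX_TRACKED_SOURCES = 1000  # bound on per-source state; oldest entry is evicted first


def guess_space(range_size, seq_len):
    """Number of distinct ordered sequences a blind guesser would have to cover."""
    return range_size ** seq_len


class KnockMatcher:
    """Stateful knock matcher: tracks each source's progress through the sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, listen_range=LISTEN_RANGE,
                 window=WINDOW_SECONDS, max_sources=MAX_TRACKED_SOURCES):
        self.sequence = tuple(sequence)
        self.listen_range = listen_range
        self.window = window
        self.max_sources = max_sources
        self._state = OrderedDict()  # src -> (next_index, last_seen_ts)

    def tracked(self):
        """How many sources currently hold partial-sequence state."""
        return len(self._state)

    def observe(self, ts, src, dst_port):
        """Feed one (timestamp, source, destination port) event.
        Returns True exactly when `src` completes the sequence."""
        if dst_port not in self.listen_range:
            return False  # outside the listened range: nothing to do

        idx, last = self._state.get(src, (0, ts))
        if ts - last > self.window:
            idx = 0  # too slow: partial progress expires

        if dst_port == self.sequence[idx]:
            idx += 1
        elif dst_port == self.sequence[0]:
            idx = 1  # wrong knock, but it may be the start of a fresh attempt
        else:
            idx = 0  # any other port in the range resets progress; a sweep never accumulates

        if idx == len(self.sequence):
            self._state.pop(src, None)  # done: drop state; the caller opens the real port
            return True

        if idx == 0:
            self._state.pop(src, None)  # no progress worth remembering
            return False

        self._state[src] = (idx, ts)
        self._state.move_to_end(src)
        while len(self._state) > self.max_sources:
            self._state.popitem(last=False)  # evict the least recently active source
        return False


def completed_sources(events, matcher=None):
    """Run events through a matcher; return [(ts, src)] for each completed sequence."""
    matcher = matcher or KnockMatcher()
    return [(ts, src) for ts, src, port in events if matcher.observe(ts, src, port)]


# Constructed traffic: one legitimate client, one client that stalls past the window,
# and one sequential sweep across the whole listened range.
SAMPLE_EVENTS = (
    [(0.0 + 0.5 * i, "10.0.0.5", p) for i, p in enumerate(KNOCK_SEQUENCE)]
    + [(0.0, "192.0.2.9", 7321), (0.3, "192.0.2.9", 7105),
       (20.0, "192.0.2.9", 7988), (20.2, "192.0.2.9", 7042), (20.4, "192.0.2.9", 7663)]
    + [(3.0 + 0.01 * i, "198.51.100.7", 7000 + i) for i in range(1000)]
)

if __name__ == "__main__":
    print("ordered sequences in range:", guess_space(len(LISTEN_RANGE), len(KNOCK_SEQUENCE)))
    print("completed:", completed_sources(SAMPLE_EVENTS))
```

On the sample traffic only 10.0.0.5 completes; the sweep hits the first knock port once and is reset by the very next port, and the stalled client loses its progress when the window lapses. The bounded, least-recently-active eviction is the part that speaks to the scaling question in the message: memory stays proportional to the configured bound rather than to the number of sources seen.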